WLCG AuthZ Call
Proposed agenda:
- Announcements/Info
- vCHEP Submission
- VOMS Migration Strategy input
- IAM support migration to CERN IT-CDA
- Discussions:
- VOMS Importer Script (Andrea)
- id token claim for use by vault with kerberos (Dave, Andrea, Hannah)
- Capability Sets
- Dave to add examples & motivation
- https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/10
- Standardisation of CE capability requirements
- Token Propagation Workflow Doc
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland
Dial by your location
+41 43 210 70 42 Switzerland
+41 43 210 71 08 Switzerland
+41 31 528 09 88 Switzerland
+33 1 7037 9729 France
+33 7 5678 4048 France
+33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4
Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188
Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>
Attendees: Hannah, Andrea, Andrei, Andrei, DaveD, DaveK, Enrico, Federica, Irwin, Jeny, Jim, Dave, Brian, DaveC, Mine, Maarten, Linda, Marcelo, Paul, Mischa, Tom
Notes:
- VOMS Migration
- No concept of username in VOMS but there is in IAM. We need a different approach
- Could concatenate several attributes
- Could have local accounts too
- Is the username the same as the sub claim in the token? No, they are decoupled
- User accounts are tied to an HR record
- IAM relies on the SSO identifier (cern_upn, e.g. hshort); the PersonId is used to check against the HR DB
- The username is largely hidden from the user since they log in through CERN SSO. Usernames are private to an individual
- Using surnames may prove complicated: name changes need to be handled, and surnames can be very long
- Preference for a short, unique username (e.g. hshort, or the PersonId such as 127869234)
- Nicknames were the way a community could set up its own username syntax; it would be good for VOs to be allowed to choose
- IAM requires unique email addresses; accounts with the same email are merged pending a manual review
- Several people have multiple accounts with the same email
- Better NOT to merge automatically, in case of email recycling
- For VOs that already set the VOMS Nickname equal to the UPN, this can be an easy migration process
- We already have a small number of users who have signed up - will that be an issue?
- Capability Sets
- Should state explicitly that the server can reject the request
- Return the union of all scopes
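As an added illustration of the two capability-set points above (scopes are merged as a union, and the server may reject rather than silently narrow a request), the following Python is example code written for these notes; it is not code from the WLCG AuthZ WG, IAM, or the common-jwt-profile repository. The "wlcg.capabilityset:" prefix, the scope strings, the role names and the policy table are all assumptions chosen for illustration; the actual wording is in PR #10 linked in the agenda.

```python
"""Capability-set expansion for a token request.

Added example, not code from the WLCG AuthZ WG or the common-jwt-profile
repository. The "wlcg.capabilityset:" prefix, the scope strings, the role
names and the policy table are assumptions made for illustration.
"""
from dataclasses import dataclass, field

CAPABILITY_SET_PREFIX = "wlcg.capabilityset:"  # assumed naming convention

# Constructed sample policy: the role a capability set requires, and the
# scopes it expands to.
CAPABILITY_SETS = {
    "wlcg.capabilityset:/analysis": {
        "role": "/cms/analysis",
        "scopes": {"storage.read:/", "compute.read", "compute.create"},
    },
    "wlcg.capabilityset:/production": {
        "role": "/cms/production",
        "scopes": {"storage.read:/", "storage.modify:/store",
                   "compute.create", "compute.cancel"},
    },
}


class CapabilitySetError(Exception):
    """Raised when the server rejects the request outright."""


@dataclass
class TokenScopes:
    scopes: set = field(default_factory=set)
    # Capability sets that were applied, so the result can record them
    # (assumed representation).
    capability_sets: list = field(default_factory=list)


def expand_scopes(requested, user_roles, capability_sets=CAPABILITY_SETS):
    """Compute the scopes to issue for a request.

    - Ordinary scopes pass through unchanged.
    - Each capability set contributes its scopes; all contributions are
      merged as a union, so a later set never overwrites an earlier one.
    - An unknown capability set, or one whose required role the user does
      not hold, raises CapabilitySetError: the whole request is rejected
      rather than silently narrowed.
    """
    result = TokenScopes()
    for scope in requested:
        if not scope.startswith(CAPABILITY_SET_PREFIX):
            result.scopes.add(scope)
            continue
        policy = capability_sets.get(scope)
        if policy is None:
            raise CapabilitySetError(f"unknown capability set {scope}")
        if policy["role"] not in user_roles:
            raise CapabilitySetError(
                f"{scope} requires role {policy['role']}, which the user lacks")
        result.scopes |= policy["scopes"]
        result.capability_sets.append(scope)
    return result


if __name__ == "__main__":
    # Constructed sample request: one plain scope plus two capability sets.
    granted = expand_scopes(
        ["openid", "wlcg.capabilityset:/analysis",
         "wlcg.capabilityset:/production"],
        user_roles={"/cms/analysis", "/cms/production"},
    )
    print(sorted(granted.scopes))
    print(granted.capability_sets)
    try:
        expand_scopes(["wlcg.capabilityset:/production"], {"/cms/analysis"})
    except CapabilitySetError as err:
        print("rejected:", err)
```

The union semantics mean that requesting two overlapping sets (both grant storage.read:/ above) yields each scope once, and that a plain scope requested alongside a set is kept rather than overwritten by the set's expansion.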
Actions
- Andrea and Hannah to finalise which attributes should be used for migration between VOMS and IAM, based on CERN SSO attributes (a couple of weeks)
- DaveD to modify the capability set text to require a union rather than an overwrite of scopes
- DaveD to add that an error should be returned if someone doesn't have the role assigned, and to include the capability set in the result/group (not sure I captured this correctly)
- Andrea complete text for vCHEP Submission